Heartbleed Causing More Heartburn for OpenSSL & Site Owners

The site that was one of the first to raise the alarm about the Heartbleed OpenSSL security bug was also among the first to get overconfident about how dangerous it could be, and get stung for it. On April 11, CloudFlare, Inc. -- one of the sites that got the news about Heartbleed early so it could fix its own code before the flaw became public knowledge -- announced that its coders had tried for two weeks to use the flaw to extract a private key from their own server, with no success. Other researchers had been able to pull usernames and passwords, browser cookies, site-administrator logins, and any other data that had recently been read into a vulnerable server's memory, but no one had been able to get a server's X.509 private encryption key -- the secret half of the public/private key model on which most encryption of Internet traffic depends.

"After extensive testing on our software stack, we have been unable to successfully use Heartbleed on a vulnerable server to retrieve any private key data," CloudFlare researcher Nick Sullivan wrote in an April 11 blog asking the Internet to have a go at the same problem -- and at a CloudFlare server with the Heartbleed flaw. "If it is possible, it is at a minimum very hard. And, we have reason to believe based on the data structures used by OpenSSL and the modified version of NGINX that we use, that it may in fact be impossible."

It took less than three hours for Moscow-based Node.js programmer Fedor Indutny to extract the private key, using a Node.js script that sent 2.5 million queries in the hope one would come back with the key.

It took the second winner, Ilkka Mattila, at NCSC-FI, nine hours and 100,000 requests. There were two more winners by the end of Saturday, April 12. By the end of the day, anyone clicking on the URL for the Heartbleed Challenge, which CloudFlare put up to host the project, got a response saying the server's X.509 certificate had been revoked and its identity could no longer be confirmed.
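Both successful extractions above relied on volume: on the order of 100,000 to 2.5 million heartbeat requests against one server. The following is an added example, not code from the article or from CloudFlare, showing how a defender can surface that signal from server logs; the log line format and the sample lines are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Assumed format per line:
# "<ISO timestamp> <client ip> <event> [extra fields]"
SAMPLE_LOG = """\
2014-04-11T18:00:00 203.0.113.5 tls_heartbeat_request len=16384
2014-04-11T18:00:01 203.0.113.5 tls_heartbeat_request len=16384
2014-04-11T18:00:01 198.51.100.7 tls_handshake
2014-04-11T18:00:02 203.0.113.5 tls_heartbeat_request len=16384
2014-04-11T18:00:03 203.0.113.5 tls_heartbeat_request len=16384
2014-04-11T18:05:00 198.51.100.7 tls_heartbeat_request len=16
2014-04-11T18:09:00 203.0.113.5 tls_heartbeat_request len=16384
"""


def parse_line(line):
    """Split one log line into (timestamp, client ip, event name)."""
    ts, src, event, *_extra = line.split()
    return datetime.fromisoformat(ts), src, event


def flag_heartbeat_floods(log_text, window=timedelta(minutes=1), threshold=4):
    """Return {client ip: peak count} for clients whose heartbeat requests
    reach `threshold` inside any sliding `window`.

    A benign client sends a handful of heartbeats per connection; a key
    extraction attempt needs hundreds of thousands, so requests per source
    per time window is the cheapest detection signal. The threshold here is
    deliberately tiny so the constructed sample trips it."""
    recent = defaultdict(deque)   # client ip -> timestamps inside the window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, event = parse_line(line)
        if event != "tls_heartbeat_request":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that aged out
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged


if __name__ == "__main__":
    print(flag_heartbeat_floods(SAMPLE_LOG))   # {'203.0.113.5': 4}
```

In production the threshold should be set from observed baseline heartbeat rates per client, and the same counter is worth keeping per server certificate so that a sustained flood against one host triggers the key-rotation decision the article describes.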

CloudFlare pulled the certificate itself, according to a follow-up blog from Sullivan naming the winners. He explained that CloudFlare pulled the certificate as part of its own remediation effort, which was extended to include revoking and reissuing the certificates for its own sites and those of its customers. CloudFlare executives had hoped to avoid the effort and cost of replacing the certificates, as well as inevitable errors from the inconsistent, often convoluted process of not only replacing old certificates with new, but actively revoking the old certificates and making the revocation stick.

I still can't stop wondering why so many websites are still reluctant to share information with their users and visitors when it comes to the subject of the effect that the Heartbleed vulnerability has had on the sites since it was exposed, since this is something that affects everyone but was hardly their fault. I love the approach taken by CloudFlare in including freelancers to help fix the problem, though even they should have done so much earlier and saved all those wasted man hours.

This is just another example of the havoc that Heartbleed has left in its wake since the security vulnerability was discovered. This is just one of the few stories that have seen the light of day, and there are many other stories that are a lot more serious but which you will probably never hear about. Maybe it is because the site owners have not succeeded in solving the problem and fixing the gaps on their end, or it may be because they don't want to alarm their users and visitors, but either way, they are very unlikely to give you this kind of information.